Personally identifiable information, personal data, or sensitive data all refer to data that allow you to identify a person. The General Data Protection Regulation (GDPR) recognises the protection of natural persons in relation to the processing of personal data as a fundamental right. When you carry out research involving people, informed consent and protecting your participants are key.
The ethical review process
The research process is hardwired to achieve the above. Before you even start carrying out the research, an ethical review process is usually required – this is meant to help you think about the ethical issues involved in your work. Most research performing organisations have their own research ethics committee to review your planned research. Note that compliance with regulation such as the GDPR is not always monitored during the ethical review process. In these cases, you should ensure you follow the appropriate local approach to ensure your planned research is compliant.
When ethical review is not mandated, CESSDA recommend that you still perform a self-assessment. This will help you appraise your approach and ensure it is safe and scientifically robust.
Collecting data from human participants
After obtaining ethical approval, you can start your research. Collecting data from human participants is subject to their informed consent and the safest approach to this is seeking written consent via a form. This should explain what participation entails, how results will be disseminated and the impact of the project on participants. You must ensure that participants know that they have full freedom of choice. This information should be stored and linked to the published research and data for possible future review. Obviously, by its very nature, consent information is personally identifiable information and should not be available openly. When a consent form is not a viable option, there are several other approaches to obtaining informed consent, as outlined by the UK Data Service.
As data controllers, your organisation and you are responsible for protecting participants’ data at every stage of the research: collection, processing and storage. The GDPR states that processing personal data is lawful only in a few scenarios (Art. 6), so do make sure you are in the clear. To lawfully process data received from a third party, you need a data processing agreement (DPA) in place. Amongst other things, this needs to demonstrate the participants’ consent (Art. 7), identify what will be done with the data and identify the safeguards in place to protect it. Under the GDPR, data processing agreements need to include information on a number of topics (Art. 28) significantly larger than previously required under the 1998 Data Protection Act.
Overall, the GDPR mandates that personal data must be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to the least necessary amount
- Accurate and up to date
- Kept in a form which permits identification of data subjects for no longer than necessary
- Processed in a manner that ensures appropriate security.
As data controllers, your organisation and you also need to ensure that any data that leaves your control for processing purposes is similarly protected through cascading agreement(s) with the data processor(s). Data processors may be other organisations or businesses, but also any other third parties processing data on behalf of the controller(s): this includes hosting providers, cloud service providers and software providers. It is worth noting that data controllers and data processors are both liable should a data breach occur.
A research exemption in the GDPR (Art. 89) makes points 1, 2 and 5 above less strict and allows further processing when archiving for the public interest, for scientific or historical research purposes, or statistical purposes. This, however, still requires you to thoroughly protect the study participants’ data.
As a final note, remember that the GDPR is only applicable to data about living persons. No restrictions apply to the data related to deceased individuals.
One of the tensions between data protection and data sharing relates to the reuse of personally identifiable information post-project. In some cases, researchers may plan work that is radically different from that for which consent was originally given. If possible, any informed consent should make provision for future research, but this is not a trivial thing to achieve and good (or even acceptable) practice is still unclear.
An approach being considered (e.g. by some medical research data organisations) is through regular and continued contact with participants, which allows researchers to easily request consent for future or different projects. Keeping the information up to date does have significant resource implications. However, at a minimum, collecting contact information (and asking if participants will allow future contact) should allow for a relatively cost-effective approach that could enable some participants’ data to be reused in the future.
The use of historic data (e.g. data collected before the widespread use of consent forms where the participants may still be alive) or data from large-volume social media data streams (e.g. Twitter firehose) pose their own set of unique problems. On the other hand, the GDPR does make explicit provision for “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” (Art. 5) and this type of data may fall under that remit. In the case of historic data as outlined above, if participants can’t be contacted to obtain consent for new research, it may mean that you won’t be able to reuse the data. But here, once again, the concept of “legitimate interest” might provide a way out. If “the reasonable expectations of data subjects based on their relationship with the controller” are such that they could have expected such reuse at the time their data was collected, then it may be possible to reuse it.
As the GDPR has yet to kick in, all these concepts are still to be tested.
Getting ready for the GDPR
Most organisations are now preparing to deal with the GDPR, which comes into force on 25 May 2018. The Information Commissioner’s Office provides guidance on this, including a self-assessment toolkit. More information is also available on our dedicated page.